On Tuesday, HHS announced that an Arizona physician practice has agreed to pay $100,000 to the agency to settle allegations that it violated HIPAA privacy and security rules, Health Data Management reports.
HHS' Office for Civil Rights started investigating Phoenix Cardiac Surgery after receiving reports that the physician practice was posting clinical and surgical appointments on a publicly accessible online calendar (Goedert, Health Data Management, 4/17).
OCR's investigation found that the physician practice "had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' electronic protected health information." OCR noted that the physician practice had failed to:
- Document employee training on HIPAA privacy and security rules;
- Identify a data security official;
- Conduct a security risk analysis; and
- Obtain a business-associate agreement with the vendor supplying the online appointment system (Conn, Modern Physician, 4/17).
Leon Rodriguez, director of OCR, said the "case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with" HIPAA privacy and security rules (Health Data Management, 4/17).
In addition to making the $100,000 settlement payment, Phoenix Cardiac Surgery agreed to implement a corrective action plan to protect patient information (Modern Physician, 4/17).